Apple UDIDs Compromised: What You Need to Know

News broke this morning that AntiSec publicly posted 1,000,001 Apple UDIDs (Unique Device Identifiers) allegedly retrieved from an FBI computer. The group claims that, in addition to a supposed 12 million UDIDs, it also gathered usernames, device names, push tokens, zip codes, cell phone numbers, and addresses for the corresponding UDIDs in the original leak, although these were not included in the sample that was posted.

At this point there’s a fair amount of speculation about the situation, but we wanted to clarify what LastPass users should know:

We released a tool: https://lastpass.com/udid to check if your UDID was on the list. Note that yours could still be one of the alleged 11 million not publicly released, so caution is still recommended.

The leaked UDIDs in and of themselves do not pose a serious risk to users. However, there is cause for concern when UDIDs are paired with personally identifiable information, which the hackers indicate they have in the original data set, although there is no proof at this time. Combined with your name, address, mobile number, and the types of Apple devices you own, identity theft and social engineering are potential threats.

Apple has moved away from allowing apps to use the UDID for their own purposes, but has only recently enforced this on app updates. Some services could still be using the UDID as their entire authentication, meaning that a particular device (identified by its UDID) is simply granted access to the service. An attacker who has your UDID could gain access to those accounts; the data involved is likely not highly sensitive, but it could still help tie a UDID to a specific individual.

The leak is not a threat to LastPass user accounts. LastPass used to use the UDID as a secondary factor for logging in on iOS, in place of your standard secondary factor (i.e. your YubiKey), but late last year we switched to a random identifier that we store on the device, independent of the UDID, and all old UDIDs were disabled.
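To illustrate the difference between the two authentication patterns discussed above (a service that trusts the UDID alone versus a random per-device identifier that is independent of the UDID), here is an added example; it is not LastPass code, and the UDID values, service classes and method names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of "leaked" UDIDs (40 hex digits, values made up for this example).
LEAKED_UDIDS = {"a" * 40, "b" * 40}


class UdidAuthService:
    """Weak pattern: possession of the UDID alone grants access to the account."""

    def __init__(self):
        self.enabled_udids = set()

    def enable_device(self, udid):
        self.enabled_udids.add(udid.lower())

    def authenticate(self, udid):
        # A UDID is not a secret: anyone holding a leaked copy passes this check.
        return udid.lower() in self.enabled_udids


class DeviceTokenAuthService:
    """Hardened pattern: a random secret is issued per device at enrollment and
    stored on the device; the server keeps only a hash, so a UDID leak is useless."""

    def __init__(self):
        self.token_hashes = {}  # device label -> sha256(token)

    def enroll_device(self, device_label):
        token = secrets.token_hex(32)  # 256-bit random identifier, unrelated to the UDID
        self.token_hashes[device_label] = hashlib.sha256(token.encode()).hexdigest()
        return token  # returned once, to be stored on the device

    def authenticate(self, device_label, token):
        expected = self.token_hashes.get(device_label)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison avoids leaking the stored hash via timing.
        return hmac.compare_digest(expected, presented)

    def revoke_device(self, device_label):
        # Disabling a device only requires dropping its hash server-side.
        self.token_hashes.pop(device_label, None)


def leaked_udid_grants_access(service, udid):
    """Returns True if a UDID from the leak is enough to log in to the given service."""
    return udid in LEAKED_UDIDS and service.authenticate(udid)
```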

The best steps LastPass users can take at this time:

Although passwords were not on the list of data supposedly compromised, it is never a bad time to check that your passwords are strong and unique. Run the LastPass Security Check (in the LastPass icon's Tools menu) to identify any weak or duplicate passwords, and prioritize updating them.

You have to choose your right balance. We actively trade some of our privacy for convenience. Here you are on the innerwebs leaving your identifiable information on lastpass.com to post about letting people have information. Please go disconnect from everything and then march straight into the wilderness where people like you belong. Unless you like trading your privacy for convenience. In that case sit down and shut up.

I’ve been into computers hardcore for about a decade and a half. I work in data now. I <3 command line.

First and foremost because a lot of it is public information, because you put it in places that people like me can find it.

Also, a way the authorities gather information is by investigating criminals. You think the FBI shreds the criminal's hard drives and then throws the data away? Nope, they 'investigate' and then process the data, which is usually stored, if it isn't more trouble than it is worth. I know I am in that data; you probably are too.

What is LastPass?

LastPass simplifies your online life by remembering your passwords for you. With LastPass to manage your logins, it's easy to have a strong, unique password for every online account and improve your online security. Get started today - it's free.
